From 350683121f768fab48f27e54f2297b709340b915 Mon Sep 17 00:00:00 2001
From: jdx <216188+jdx@users.noreply.github.com>
Date: Tue, 12 May 2026 13:51:59 -0500
Subject: [PATCH] ci(zizmor): scope push trigger and disable advanced-security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Address review feedback on PR #471.

- Add paths filter to the push trigger so the job only runs when workflow files change on main (matches the pull_request trigger).
- Set advanced-security: false on zizmor-action. With the default true, the action runs codeql-action/upload-sarif which needs security-events: write — the job only grants contents: read. Disabling it also makes zizmor's exit code drive CI failure, matching the "fails CI on any finding" intent.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/zizmor.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index a83ac7c..90ad35f 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -2,6 +2,7 @@ name: zizmor
 on:
 push:
 branches: [main]
+ paths: ['.github/workflows/**']
 pull_request:
 paths: ['.github/workflows/**']
@@ -17,3 +18,5 @@ jobs:
 with:
 persist-credentials: false
 - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
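Review bot: The new `paths: ['.github/workflows/**']` filter on the push trigger means a push to main that only touches a composite action definition (an `action.yml` under `.github/actions/` or elsewhere in the tree) will not re-run zizmor, even though zizmor audits action definitions as well as workflows; the pre-existing pull_request filter on the following lines has the same gap. If the repository ships composite actions, widen both filters, e.g. `paths: ['.github/workflows/**', '.github/actions/**']`, or drop the filter on the push side so main is always re-audited; whether such actions exist is not visible in this patch. A paths filter also skips the job entirely rather than running it as a no-op, so a PR that does not touch workflows reports no zizmor status at all — if zizmor is a required check, confirm the branch-protection configuration tolerates a skipped job.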
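Review bot: The reason for `advanced-security: false` lives only in the commit message; in the workflow itself the line reads like an opt-out of a security feature, and the next editor who wants findings in the Security tab will flip it back without also granting `security-events: write`. Add a comment above the new `with:` block, e.g. `# SARIF upload needs security-events: write; this job only has contents: read, so findings fail the job via zizmor's exit code instead.` With the upload disabled, findings surface only in the job log (and as inline annotations, if the action's annotations input is left enabled), so the job's failure status is what must gate merges, not a Security-tab alert. The enclosing job and its `permissions:` block start outside this hunk, so the `contents: read` claim in the message cannot be checked here.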